1998 matches found
GO-2026-4274 Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea...
CVE-2023-31478
An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key...
CVE-2018-19367
Portainer through 1.19.2 provides an API endpoint /api/users/admin/check to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case...
CVE-2017-18895
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information user statuses via a REST API version 4 endpoint...
CVE-2024-34535
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header...
CVE-2023-45671
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the / base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both...
CVE-2025-14802
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/fileid REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the...
CVE-2021-41187
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the API endpoints for /api/trackedEntityInstances and api/events in DHIS2. The...
CVE-2022-0218
The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the /includes/class-template-designer.php file, in versions up to...
CVE-2024-39703
In ThreatQuotient ThreatQ before 5.29.3, authenticated users are able to execute arbitrary commands by sending a crafted request to an API endpoint...
PT-2026-2108
Name of the Vulnerable Software and Affected Versions Flag Forge versions 2.3.2 and below Description Flag Forge is a Capture The Flag CTF platform susceptible to a Regular Expression Denial of Service ReDoS condition. The issue resides in the user profile API endpoint, /api/user/username. The...
CVE-2025-14460
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the...
CVE-2025-13419
The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possibl...
CVE-2025-13419 Guest posting / Frontend Posting / Front Editor – WP Front User Submit <= 5.0.0 - Missing Authorization to Unauthenticated Media Deletion
The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possibl...
CVE-2024-2035
An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the active status of user accounts to false,...
CVE-2025-14802 LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/fileid REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the...
WordPress plugin Guest posting / Frontend Posting / Front Editor – WP Front User Submit 安全漏洞
...
WordPress plugin FastDup 路径遍历漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A path travers...
EUVD-2026-0871
Missing Authorization vulnerability in Centreon Infra Monitoring Administration parameters API endpoint modules allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring...
CVE-2025-3654
Petlibro Smart Pet Feeder Platform (vulnerable up to 1.7.31) exposes an information disclosure via insecure API endpoint /device/devicePetRelation/getBoundDevices. Attackers can retrieve device hardware identifiers (serial numbers, MAC addresses) by supplying a pet ID, potentially enabling unauth...